Class: Conjur::Policy::Planner::Deny
- Defined in:
- lib/conjur/policy/planner/permissions.rb
Overview
Plans a permission denial.
A Deny statement is generated if the permission is currently held. Otherwise, its a nop.
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary collapse
Methods inherited from Base
#account, #action, #create_record, #error, #initialize, #log, #record_type, #resource, #resource_exists?, #role, #role_exists?, #role_record, #update_record
Methods included from Logger
Constructor Details
This class inherits a constructor from Conjur::Policy::Planner::Base
Instance Method Details
#do_plan ⇒ Object
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 |
# File 'lib/conjur/policy/planner/permissions.rb', line 55 def do_plan facts = PrivilegeFacts.new self # Load all the permissions as both requested and existing grants. # Then remove the Deny record, and see what's left. privileges = Array(record.privileges) Array(record.resources).each do |resource| facts.(resource, privileges) do || permit_record = Types::Permit.new permit_record.role = Types::Role.new(['role']) permit_record.role.admin = ['grant_option'] permit_record.privilege = ['privilege'] permit_record.resource = Types::Resource.new(['resource']) facts. permit_record facts. end end facts. record facts.validate! facts.grants_to_revoke.each do |grant| role, privilege, resource = grant deny = Conjur::Policy::Types::Deny.new deny.resource = resource_record resource deny.privilege = privilege deny.role = role_record(role) action deny end end |